
Iptables whitelist

From NetSec
Revision as of 20:12, 18 June 2015 by User (Talk | contribs) (Starting article)


There is a lot of documentation available for iptables on the internet, but less on how to create a secure set of rules. This guide is intended to provide the most secure firewall setup possible: one that drops all traffic except traffic that has been explicitly added to a whitelist. If you rely on blacklisting attackers, they can always come back from another IP address, and your rules grow larger and more expensive to traverse. Whitelisting gives you a small set of rules that provides only the functionality you need and nothing more.

 # Flush all existing rules in the filter table
 iptables -F

  1. Set the default policies on all of the filter table chains to DROP. This means that

 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP

 # Allow all traffic on the loopback interface
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allow outbound DNS queries (UDP 53) and the replies to them
 iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

 # Allow outbound HTTP/HTTPS connections and the replies to them
 iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

 # Log (rate-limited) new inbound connection attempts to TCP 22 and 3306.
 # The chain RETURNs to INPUT afterwards, where the default DROP policy applies.
 iptables -N LOGSERVER
 iptables -A INPUT -p tcp -m multiport --dports 22,3306 -m conntrack --ctstate NEW -j LOGSERVER
 iptables -A LOGSERVER -m limit --limit 5/min -j LOG --log-prefix "SYN to server: " --log-level warning
 iptables -A LOGSERVER -j RETURN
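The rules above, collected into a single iptables-restore(8) ruleset and sanity-checked before loading, as an added example that is not part of the original article; the function names and the two port-list parameters are this example's own choices. Loading the table with iptables-restore applies the DROP policies and the ACCEPT rules in one atomic step instead of one command at a time.

```shell
#!/bin/sh
# Added example (not from the article): emit the whitelist as an
# iptables-restore(8) table and check it before it is loaded.

# gen_whitelist OUT_TCP_PORTS LOGGED_TCP_PORTS
#   OUT_TCP_PORTS    comma-separated outbound TCP ports to allow (e.g. 80,443)
#   LOGGED_TCP_PORTS comma-separated inbound TCP ports whose new
#                    connections are logged and then dropped (e.g. 22,3306)
gen_whitelist() {
    out_tcp=$1
    logged_tcp=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGSERVER - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $out_tcp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports $out_tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $logged_tcp -m conntrack --ctstate NEW -j LOGSERVER
-A LOGSERVER -m limit --limit 5/min -j LOG --log-prefix "SYN to server: " --log-level warning
-A LOGSERVER -j RETURN
COMMIT
EOF
}

# check_whitelist RULESET
# Returns 0 only if every built-in chain defaults to DROP and no INPUT rule
# ACCEPTs NEW connections, i.e. the table still whitelists replies only.
check_whitelist() {
    rs=$1
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rs" | grep -q "^:$chain DROP" || return 1
    done
    if printf '%s\n' "$rs" | grep '^-A INPUT' | grep NEW | grep -q ACCEPT; then
        return 1
    fi
    return 0
}

# Typical use (needs root):
#   rs=$(gen_whitelist 80,443 22,3306) && check_whitelist "$rs" \
#       && printf '%s\n' "$rs" | iptables-restore
```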